ABSTRACT

One of the promising multimedia services is the mobile pay-TV service. Due to its wireless nature, mobile pay-TV is vulnerable to attacks especially during hand-off. In 2011, an efficient anonymous authentication protocol for mobile pay-TV is proposed. The authors claim that their scheme provides an anonymous authentication to users by preventing intruders from obtaining users’ IDs during the mutual authentication between mobile subscribers and head end systems. However, after analysis, it was found that the scheme does not provide anonymous authentication and users can be easily tracked while using their anonymous identity. The scheme is also subject to denial of service attack. In this paper the deficiencies of the original scheme are demonstrated, and then a proposed improved scheme that eliminates these deficiencies is presented.

1. Introduction

With the increased integration of pay-TV and wireless communication, multimedia pay service plays an important role in mobile broadcast TV services [1]. As these services are usually delay-sensitive due to high mobility feature and frequent handoffs, a fast and secure authentication scheme for such mobile broadcast TV services should be developed.

In order to reduce the delay introduced by the high mobility features and frequent handoffs and guarantee a secure and convenient access of services by authorized subscribers, a secure access management mechanism is required. This access management is provided by a conditional access system (CAS). A typical model of CAS consists of two parts, a head end system and numerous receivers, and the model is comprised of several important components [2], which include:

• Subscriber Authorization/Management System (SAS/ SMS):subsystems responsible for subscriber authorization and management;its works including key management, user authentication,entitlement messages delivery,subscriber information management and rights management.

• Encrypter: a component for enciphering Control Word (CW), keys, or sensitive information.

• Multiplexer (MUX): a component for multiplexing A/V, data or IP into MPEG-2 transport stream.

• Scrambler: a component for signal scrambling.

• Transmitter: a subsystem for signal transmission.

• Receiver: a subscriber device with a CAS module used for access control.

Several CASs have been proposed to guarantee a secure and convenient access of services by authorized subscribers. Many studies have classified these schemes into symmetrical key-based schemes and public keybased schemes.

Public key-based conditional access system [3-5] may realize privacy preservation and avoid communicating with a third party during the handoff process. These methods suffer the heavy computation burden. In [6], a subscriber first has to register his subscriber information with a signature to a provider by applying public key cryptosystem. When a subscriber wants to subscribe to any programs, he uses his device to send a subscription message to the provider. The provider then sends a receipt with a signature for confirming this subscription to the subscriber. However, the scheme [6] only protects the customers’ privacy, but not the provider’s [2]. In [7], an “e-ticket” scheme for the authentication of pay-TV system is proposed. The scheme employed an encrypted authentication message with a blind and anonymous signature based on RSA public key cryptosystem to do the mutual-authentication to protect the privacy for both customers and service provider. The schemes proposed in [8] and [9] are based on a public-key cryptosystem employing the technique of the multi-key RSA. While transmitting a requested TV program, the multimedia server and proxy server cooperatively encrypt the requested program without collusion attacks. In public-key cryptosystem each user possess a unique public/private key pair, so a multimedia server has to encrypt services with each user’s specific public key which makes them inefficient and not suitable for mobile pay-TV systems.

Symmetrical key-based conditional access system [10-14] suffers from its troublesome key distribution and the involvement of a third party. In [14], an efficient anonymous authentication protocol for mobile pay-TV is proposed. The authors claim that their scheme provides an anonymous authentication to users by preventing intruders from obtaining users IDs during the mutual authentication between mobile subscribers and head end systems. However, after analysis, it was found that the scheme does not provide anonymous authentication and users can be easily tracked while using their anonymous identity. The scheme also is subject to DoS attack.

In this paper an improved scheme that enhances the Chen’s scheme [14] is proposed. The deficiencies of the original scheme are demonstrated, and then a proposed improved scheme that eliminates these deficiencies is presented. The proposed scheme ensures the anonymity of the subscribers during handoffs operations, and ensures the anonymous mutual authentication between subscribers and head end systems with low computation and communication costs. Finally a mechanism that prevents denial of service attack is proposed.

The rest of this paper is organized as follows: Section ‎2 briefly reviews the Chen’s scheme. Section 3 presents the security analysis of Chen’s scheme. Section ‎4 presents the improved scheme. The security analysis and performance evaluation of the improved scheme are presented in Section ‎5. Finally, Section 6 concludes the paper.

2. Review of the Chen’s Scheme

The scheme proposed in [14] introduced an efficient and anonymous mutual authentication protocol that eliminates the high computational cost and prevents security attacks introduced in a previous related protocol [15]. There are four phases in Chen’s scheme, which includes initialization, issue, subscription and hand-off Phase.

2.1. Initialization Phase

This phase is invoked whenever user U_i registers to the subscribers’ database server (DBS) of HES via Subscriber Authorization System and Subscriber Management System (SAS/SMS) and the DBS saves U_i’s identity ID. Both U_i and HES uses a set-top-box (STB) as a secure channel during this phase. The following steps are performed to complete this phase [14]:

1) U_i chooses his ID_i and pw_i and generates a random number b for calculating. Then, U_i submits ID_i and PWB to the pay-TV system server S.

2) S checks the database whether his ID_i is already in the database or not. If ID_i is already in the database, S checks whether U_i performs a re-registration or not. If U_i performs a re-registration then S sets ID_i’s registration number N = N + 1 and updates ID_i and N in the database otherwise S suggests U_i to choose another ID_i. If ID_i is not in the database then S sets N = 0 and stores values of ID_i and N in the database.

3) S calculates K, UD, Q and K, UD, Q and R, where:

,

,

,

, where y is the secret key of the remote server stored in the hash function and x is the secret key of S.

4) S issues a smart card containing [K, R, Q] to U_i over a secure channel.

5) U_i stores the random number b on the smart card. Such that the smart card contains [K, R, Q, b].

2.2. Issue Phase

Assume that U_i’s mobile subscriber device (MS_i) asks a service R_t and the HES performs this authentication process of issue phase for U_i to obtain a right code. The statements are described as follows:

1) U_i enters his ID_i and PW_i in order to login for obtaining the service, MS_i performs the following computations.

• Calculates and to verify whether. If it does not hold, MS_i terminates the request.

• Calculates and

• Generates a random number n_i and calculates:

,

.

Here T₁ is the current timestamp

• Sends the message to HES.

2) HES receives the message at the timestamp T₂ and performs the following computations:

• Checks the validity of. If it does not hold, HES terminates the request.

• Calculates and verifies if ID_i is a valid user’s identity. If it does not hold, HES terminates the login request, otherwise HES checks the value of N in the database and calculates

, where.

• Calculates and checks whether. If they are equal, HES accepts U_i’s request of authentication.

• Calculates

• Then, HES chooses a token for U_i and stores it into DBS, and calculates:

.

• Broadcasts the mutual authentication message

.

3) After receiving message m₂ at the time T₃, U_i checks the validity of. If it does not hold, U_i terminates the request. Otherwise, U_i executes the following operations to authenticate HES.

• Calculates and checks whether. If they are equal, U_i accepts HES’s request of mutual authentication.

• U_i calculates the certified token

as the authentication session key to get service of the pay-TV system.

2.3. Subscription Phase

After obtaining a right code, U_i’s MS_i asks a service R_t using and the HES performs this authentication process. The statements are described as follows:

1) U_i entries his ID_i and PW_i in order to login for obtaining the service, MS_i performs the following computations.

• Calculates and to verify whether. If it does not hold, MS_i terminates the request.

• Calculates and

.

• Generates a random number n_i and calculates:

,

.

Here T₁ is the current timestamp

• Sends the message to HES.

2) HES receives the message at the timestamp T₂ and performs the following computations:

• Checks the validity of. If it does not hold, HES terminates the request.

• Calculates and verifies if ID_i is a valid user’s identity. If it does not hold, HES terminates the login request, otherwise HES checks the value of N in the database and calculates

, where.

• Calculates and checks whether. If they are equal, HES accepts U_i’s request of authentication.

• Calculates.

• Then, HES chooses a token for U_i and calculates

and.

• Broadcasts the mutual authentication message

.

3) After receiving message m₂ at the time T₃, U_i checks the validity of. If it does not hold, U_i terminates the request. Otherwise, U_i executes the following operations to authenticate HES.

• Calculates and checks whether. If they are equal, U_i accepts HES’s request of mutual authentication.

• U_i calculates the certified token

as the authentication session key to get service of the pay-TV system.

2.4. Hand-Off Phase

When MS_i moves to a new coverage area that older HES cannot support such that a hand-off occurs, MS_i needs to performer-authentication without re-login. The statements are described as follows:

1) MS_i performs the following computations:

• Generates a random number n_i and calculates:

,

.

Here T₁ is the current timestamp

• Sends the message to HES.

2) HES receives the message at the timestamp T₂ and performs the following computations:

• Checks the validity of. If it does not hold, HES terminates the request.

• Calculates and verifies if ID_i is a valid user’s identity. If it does not hold, HES terminates the login request, otherwise HES checks the value of N in the database and calculates

, where.

• Calculates and checks whether. If they are equal, HES accepts U_i’s request of authentication.

• Calculates

• Then, HES chooses a token for U_i and calculates

and

• Broadcasts the mutual authentication message

3) After receiving message m₂ at the time T₃, U_i checks the validity of. If it does not hold, U_i terminates the request. Otherwise, U_i executes the following operations to authenticate HES.

• Calculates and checks whether. If they are equal, U_i accepts HES’s request of mutual authentication.

• U_i calculates the certified token

to obtain new HES’s service.

3. Security Analysis of Chen’s Scheme

In [14] the authors claim several security properties such as anonymous service, mutual authentication, resisting replay attacks, resisting man-in-the-middle-attack, and forgery difficulty. However, in this section, it is shown that Chen’s scheme vulnerable to man-in-the-middleattack which leads to DoS attack. It is al so found that the scheme does not provide anonymous service. The aforementioned weaknesses are presented in detail as follows.

3.1. Corrections to Chen’s Scheme

Before we present the weakness of Chen’s scheme, there are some mistakes in the scheme that should be corrected. In step 3 of the initialization phase (Section 2.1), the system server S calculates R using the following equation:

(1)

Here, y is a secret key of the remote server S which is stored in the hash function and known only to S.

In step 1 of the issue phase (Section 2.2), the mobile subscriber MS extracts from R by computing

and use it to compute

and as follows:

(2)

(3)

As shown in Equations (2) and (3), the authors use

and to compute and

respectively, which is not possible; since the MS_i does not know the secret key y to be able to compute

and. So, the MS could not compute and as and are one way hash functions i.e. it is not possible to extract y from both and. The same mistake is found in step 1 of the subscription phase (Section 2.3) and step 1 of the hand-off phase (Section 2.4) when computing (,) and (,) respectively. To correct this mistake, the MS should replace y by in Equations (2) and (3). This mistake can also be corrected by just replacing by y in Equation in the initialization phase i.e.. We chose the second option.

3.2. Attack on Anonymous Service

The Chen’s scheme is subject to MS tracking attack. This attack can be performed as follows:

1) An attacker registers to the subscribers’ database server (DBS) like any other user and chooses his and and generates a random number b for calculating. Then, A submits and PWB to the pay-TV system server S.

2) S calculates:

.

S issues a smart card containing [K, R, Q] to A over a secure channel.

3) The attacker A reads R from its smart card and compute.

Note that based on the corrections presented in section 3.1, is replaced by in the step 2. Using the computed the attacker A can perform MS tracing attack during issue phase, subscription or hand-off phases as follows:

1) The attacker A intercept message m during any of the three phases and extracts, and from m. Using these three values and the computed, the attacker can compute the MS’ ID () as follows:

(4)

This allows the attacker to track MS_i; since is a fixed value for each user U_i.

2) The attacker A can also know the service that the MS_i asked from HES by intercepting message m during the issue phase and extracting and from m. Using these two values and the computed, the attacker can compute as follows:

(5)

3) The attacker A can also know the right code that used by MS_i to access service by intercepting message m during the subscription or the hand-off phases and extracting or respectively from m. Using either of these two values and the computed, the attacker can compute as follows:

(6)

(7)

3.3. Denial of Service Attack

The scheme is subject to denial of service attack. This attack can be performed through two methods. The first method can be performed during the subscription and hand-off phases by applying man-in-the-middle attack as follows:

1) The attacker A intercept message m₂ during any of the two phases and extract:

or

respectively.

2) The attacker generates a random session key and computes:

or

3) After receiving message m₂, U_i calculates the session key:

• or

This results in U_i and HES using different session keys (respectively) which prevent U_i from getting the service of the pay-TV system.

The second method can be performed during the handoff phase as follows:

1) The attacker uses a rogue HES to transmit messages using a high signal strength in order to force MS_i to discard the signal sent by the legitimate HES and roam with the rogue HES.

2) When MS_i roam with the rogue HES, it needs to perform re-authentication without re-login by sending, where:

.

3) The rogue HES receives the message and immediately reply with message, where

and is a random value generated by the rogue HES.

4) After receiving message m₂ at the time T₃, U_i checks the validity of which should hold; since should equal to the round trip time (RTT) between U_i and the rogue HES. Note that should be less than or equal to 200 milliseconds as stated in [16]. It is clear that the RTT between U_i and the rogue HES is less than 200 milliseconds; since they are within the transmission range of each other.

5) U_i calculates and checks whether and accepts the rogue HES’s request of mutual authentication.

6) U_i calculates the false authentication session key

, which prevents U_i from getting the service of the pay-TV system.

4. The Improved Scheme

To withstand the above attacks, we propose an improved scheme based on the original Chen’s scheme [14] with lightweight modifications. The improved scheme introduces few modifications to the four phases as follows.

4.1. Initialization Phase

As assumed in [14], both S and its HESs share a secret key x. Both U_i and HES use a set-top-box (STB) as a secure channel during this phase. The following steps are performed to complete this phase:

1) U_i chooses his ID_i and pw_i and generates a random number b for calculating. Then, U_i submits ID_i and PWB to the pay-TV system server S.

2) S checks the database whether his ID_i is already in the database or not. If ID_i is already in the database, S checks whether U_i performs a re-registration or not. If U_i performs a reregistration then S sets ID_i’s registration number N = N + 1 and updates ID_i and N in the database otherwise S suggests U_i to choose another ID_i. If ID_i is not in the database then S sets N = 0 and stores values of ID_i and N in the database.

3) S calculates the following values:

•

• A user authentication key for each user

, where x is the secret key of S.

• A new permutation of the MS_i’s ID

() to be used by MS_i’s as a new ID during the next communication with the HES.

• , and

• , and

4) S sends to U_i over the secure channel.

5) U_i computes and stores

.

The user U_i uses to identify itself to the next HES during the issue phase, the subscription phase or the hand-off phase. This new ID should be known to the next HES to be able to authenticate U_i. So, the current HES encrypt the new ID () along with user authentication key and send it to U_i which sends it to the next HES in the next phase. Note that only HESs can decrypt; since the decryption key is generated using the secret key x which is only known to the server S and its HESs.

4.2. Issue Phase

Assume that U_i’s mobile subscriber device (MS_i) asks a service R_t and the HES performs this authentication process of issue phase for U_i to obtain a right code. The statements are described as follows:

1) U_i enters his ID_i and PW_i in order to login for obtaining the service, MS_i performs the following computations.

• Calculates and to verify whether. If it does not hold, MS_i terminates the request.

• Calculates

• Generates a random number n_i and calculates:

.

Here T₁ is the current timestamp

• Sends the message m to HES:

Here is the HMAC of the message m using the key y_i

2) HES receives the message at the timestamp T₂ and performs the following computations:

• Checks the validity of. If it does not hold, HES terminates the request.

• To validate the and the new ID ()HES calculates and

to get the user authentication key y_i .

• Uses to validate then checks whether the computed equal to. If it does not hold, HES terminates the login request, otherwise HES checks the value of N in the database and calculates.

• Calculates and checks whether. If they are equal, HES accepts U_i’s request of authentication.

• Calculates

• Then, HES chooses a token for U_i and stores it into DBS, and calculates:

•

• Computes a new permutation of the MS_i’s ID

() to be used by MS_i’s as a new ID during the next communication with the HES.

• Compute, and

.

• ,.

• Broadcasts the mutual authentication message

.

3) After receiving message m₂ at the time T₃, U_i checks the validity of and uses y_i to validate the HMAC. If they do not hold, U_i terminates the request. Otherwise, U_i executes the following operations to authenticate HES.

• Calculates and checks whether. If they are equal, U_i accepts HES’s request of mutual authentication.

• U_i calculates the certified token

as the authentication session key to get service of the pay-TV system.

• U_i stores, , and.

4.3. Subscription Phase

After obtaining a right code, U_i’s MS_i asks a service R_t using and the HES performs this authentication process. The statements are described as follows:

1) U_i entries his ID_i and PW_i in order to login for obtaining the service, MS_i performs the following computations.

• Calculates and to verify whether. If it does not hold, MS_i terminates the request.

• Calculates.

• Generates a random number n_i and calculates

, and

. Here T₁ is the current timestamp.

• Sends the message m to HES:

.

2) HES receives the message at the timestamp T₂ and performs the following computations:

• Checks the validity of. If it does not hold, HES terminates the request.

• To validate the and the new ID (), HES calculates and

to get the user authentication key y_i.

• Uses to validate then checks whether the computed equal to. If it does not hold, HES terminates the login request, otherwise HES checks the value of N in the database and calculates.

• Calculates and checks whether. If they are equal, HES accepts U_i’s request of authentication.

• Calculates.

• Then, HES chooses a token for U_i and calculates and

.

• Computes a new permutation of the MS_i’s ID () to be used by MS_i’s as a new ID during the next communication with the HES.

• Computes, and

.

• ,.

• Broadcasts the mutual authentication message

.

3) After receiving message m₂ at the time T₃, U_i checks the validity of and uses y_i to validate the HMAC. If they do not hold, U_i terminates the request. Otherwise, U_i executes the following operations to authenticate HES.

• Calculates and checks whether. If they are equal, U_i accepts HES’s request of mutual authentication.

• U_i calculates the certified token

as the authentication session key to get service of the pay-TV system.

• U_i stores, , and.

4.4. Hand-off Phase

When MS_i moves to a new coverage area that older HES cannot support such that a hand-off occurs, MS_i needs to performer-authentication without re-login. The statements are described as follows:

1) MS_i performs the following computations:

• Calculates.

• Generates a random number n_i and calculates

, and

. Here T₁ is the current timestamp.

• Sends the message m to HES:

.

2) HES receives the message at the timestamp T₂ and performs the following computations:

• Checks the validity of. If it does not hold, HES terminates the request.

• To validate the and the new ID (), HES calculates and

to get the user authentication key y_i .

• Uses y_i to validate then checks whether the computed equal to. If it does not hold, HES terminates the login request, otherwise HES checks the value of N in the database and calculates.

• Calculates and checks whether. If they are equal, HES accepts U_i’s request of authentication.

• Calculates

• Then, HES chooses a token for U_i and calculates and

•

• Computes a new permutation of the MS_i’s ID

() to be used by MS_i’s as a new ID during the next communication with the HES.

• Computes, and

•

• ,.

• Broadcasts the mutual authentication message

.

3) After receiving message m₂ at the time T₃, U_i checks the validity of and uses y_i to validate the HMAC. If they do not hold, U_i terminates the request. Otherwise, U_i executes the following operations to authenticate HES.

• Calculates and checks whether. If they are equal, U_i accepts HES’s request of mutual authentication.

• U_i calculates the certified token

as the authentication session key to get service of the pay-TV system.

• U_i stores, , and.

5. Security and Performance Analysis

In this section, the security of the proposed improved scheme with respect to the resistance to user tracking and denial of service attack is analyzed. This section also evaluates the performance of the proposed scheme.

5.1. Resistance to User Tracking

The proposed improved scheme prevents user tracking by ensuring the anonymity feature of users. As discussed in Section 3.2, an attacker can track a legitimate user by registering himself to the subscribers’ database server (DBS) like any other user, then receives which is used by the attacker to compute. Using the computed the attacker A can perform MS tracing attack as described in Section 3.2. The attacker is able to perform this attack; because the server S uses the same secret y to compute the R values for all users. So, if the attacker extracts from his R value, he can use the same to extract the IDs of other uses. 

In the proposed scheme, the server S generate a unique user authentication key for each user using the hash of the user ID and the server’s own secret key x. This prevent an attacker A form using his user authentication key () to extract the IDs of other uses. The proposed scheme also preserves users’ privacy by using pseudo identity, to identify users. This pseudo identity generated using a one-way function combined with the user authentication key, , and the user’s previous: and is updated in each phase. So, it is impossible to anticipate the messages of the user each phase which guarantees indistinguishability. Also the integrity of messages exchanged between users and HES is guaranteed due to the use of timestamps and the HMAC of each message which is included with the message. The HMAC value is computed using the user authentication key () which is only known to U_i and HES.

5.2. Resistance to Denial of Service Attack

As discussed in Section 3.3, Chen’s scheme is subject to denial of service attack. The attacker can perform this attack because the integrity of message m₂ of the subscription and hand-off phases is not guaranteed. So, an attacker can easily modify or during the subscription or hand-off phases without being detected by U_i which prevents him from getting the service of the payTV system.

In the proposed scheme, the integrity of messages exchanged between users and HES is guaranteed due to the use of timestamps and the HMAC of each message which is included with the message. The HMAC value is computed using the user authentication key, () which is only known to U_i and HES. This prevents the DoS attack that can be launched against the Chen’s scheme as described in Section 3.3. This also prevents the attacker from making an impersonation attack and replay attacks using the open values and some modified values.

5.3. Performance Analysis

This section evaluates the performance of the proposed scheme. To analyze the efficiency of the proposed scheme, the proposed scheme is compared with the Chen’s scheme [14]. The efficiency of the proposed scheme is analyzed with the same metrics used in Chen’s scheme analysis. We define the notation as the hash computation time and as the symmetric encryption/decryption time. The four phases of both the Chen’s scheme and the proposed scheme are simulated and implemented using OpenSSL library [17] on an Intel DualCore CPU at 2.30 GHz. Table 1 shows a comparison between the Chen’s scheme and the proposed scheme with respect to the hash computation time and the symmetric encryption/ decryption time. Note that we neglect the XOR operation since it is an extremely light-weight one. As shown in Table 1, the proposed scheme takes the following extra operation for each phase:

• It takes extra 3 hash operations and more two symmetric encryption/decryption about extra 62 μs for the initialization phase.

• It takes extra 6 hash operations and more four symmetric encryption/decryption about extra 81 μs for the issue phase.

• It takes extra 6 hash operations and more four symmetric encryption/decryption about extra 81 μs for the subscription phase.

• It takes extra 8 hash operations and more four symmetric encryption/decryption about extra 89 μs for the hand-off phase.

This indicates that the proposed scheme introduces a minor increase in computation overhead, which is the cost to enhance the security of the original scheme.

6. Conclusion

Recently, an efficient anonymous authentication protocol for mobile pay-TV is proposed [14]. However, the scheme is vulnerable to user tracking attack and denial of service attack. An improved scheme is proposed to prevent these two attacks by lightweight modifications and, thus, can be applied in environments requiring a high level of security. The improved scheme introduces a minor increase in computation overhead and maintains the

same number of messages of the original scheme.

REFERENCES